Guidelines for Administering vNET Specific Commands
The purpose of vNET objects is to provide independent network domains whose administrators can manage a set of dedicated resources without involving the network/fabric administrator, but only within the constraints that the network/fabric administrator defined when assigning their roles.
Access control is performed based on the scope of a vNET, which includes several dedicated ports on which it is possible to apply certain commands or use certain dedicated resources.
The dedicated resources fall into the following categories of commands with vNET admin scope:
- Layer 1 commands (i.e., port-related commands):
  - port-show (shows vNET ports but not internal/cluster ports)
  - port-phy-show (shows managed and shared ports)
  - port-config-modify/show (shows managed ports)
  - bezel-portmap-show (shows managed ports)
  - port-vnet-show (shows managed ports)
- Layer 2 commands (i.e., VLAN/LACP/STP/vLAG commands, allowed on managed ports only):
  - port-lacp-modify/show
  - vlag-create/modify/delete
  - trunk-create/modify/delete
  - stp-port-modify/show, stp-port-event-show
  - The port-config-modify port <port_num> speed <speed> command is allowed for a vNET manager only on ports managed by the vNET admin.
  - A vNET admin is not allowed to change the native VLAN (untagged VLAN) on a shared port with the port-vlan-add command.
  - With the vlan-create command, only VLANs allotted to the vNET admin can be configured.
- Layer 3 commands (i.e., vRouter commands, where the scope is local to the vNET):
  - static-ecmp-group-show/static-ecmp-group-nh-show
  - vrouter-ping/traceroute
  - bridge-domain-*
  - subnet-create (to configure multiple subnets for a single VRF)
- Security and services commands (i.e., vFlow and QoS commands on ports managed by the vNET admin):
  - vflow-create/vflow-modify (only ports managed by the vNET admin are allowed for vFlow qualifiers and actions; the VLAN and VXLAN ranges must lie within the vNET VLAN and vNET VXLAN ranges)
  - port-cos-bw-* commands (supported only for ports managed by the vNET admin)
  - mirror-create/modify commands
Caution: We recommend that you do not use the vNET feature together with port mirroring (mirror-create/mirror-modify commands) or minimum and maximum bandwidth on ports (port-cos-bw-modify command), because vNET support for these features is not available in NetVisor version 7.1.0 and later.
Note: If any of the above commands is run on a port outside the scope of a vNET, a "No permission for port 'port = %d'" message is displayed, for example:
CLI (network-admin@switch) > vlag-create name vl1 port 99 peer-port 99
vlag-create: No permission for port 'port = 99'
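The rules above amount to a small reference monitor: every port-scoped command is checked against the set of ports and VLAN/VXLAN ranges the fabric admin dedicated to the vNET, and anything outside that set is refused. The following is an added example, not NetVisor OS code, that models those checks in Python. The denial strings for vlag-create, stp-port-modify, port-vlan-add and vrouter-create are copied from the CLI output on this page; the other messages, the command grouping and the scope values (taken from the vn1 vnet-create example below) are constructed for illustration.

```python
# Added example (not NetVisor OS code): a toy model of how a vNET scope gates
# the commands listed above. Denial strings for vlag-create, stp-port-modify,
# port-vlan-add and vrouter-create follow the CLI output on this page; the
# remaining messages and the scope values are constructed for illustration.
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional


@dataclass(frozen=True)
class VnetScope:
    """Resources the fabric admin dedicated to one vNET (modelled on the vnet-create example)."""
    name: str
    managed_ports: FrozenSet[int]
    shared_ports: FrozenSet[int]
    vlans: range              # public VLANs allotted to the vNET
    shared_port_vlans: range  # VLANs the vNET may use on its shared ports
    vxlans: range             # VXLAN IDs allotted to the vNET

    def visible_ports(self, front_panel_ports: Iterable[int]) -> List[int]:
        """port-show as seen by the vNET admin: only managed and shared ports are listed."""
        return [p for p in front_panel_ports
                if p in self.managed_ports or p in self.shared_ports]

    def vlan_allotted(self, vlan: int) -> bool:
        return vlan in self.vlans or vlan in self.shared_port_vlans


# Layer 1/2 and service commands that may only touch vNET-managed ports (constructed grouping).
MANAGED_PORT_COMMANDS = {
    "port-config-modify", "port-lacp-modify", "vlag-create", "trunk-create",
    "vflow-create", "vflow-modify", "port-cos-bw-modify", "mirror-create", "mirror-modify",
}


def authorize(scope: VnetScope, command: str, ports: Iterable[int] = (), **args) -> Optional[str]:
    """Return None when a vNET admin may run the command, else the denial message shown."""
    ports = list(ports)
    if command == "vrouter-create":
        # Only the network admin creates vRouters; the vNET manager zone is refused.
        return "vrouter-create: No permission to create vrouter in vnet manager"
    if command == "stp-port-modify":
        outside = [str(p) for p in ports if p not in scope.managed_ports]
        if outside:
            return f"stp-port-modify: No permission over ports {','.join(outside)}"
        return None
    if command in MANAGED_PORT_COMMANDS:
        for p in ports:
            if p not in scope.managed_ports:
                return f"{command}: No permission for port 'port = {p}'"
    if command == "port-vlan-add":
        if "untagged_vlan" in args:
            # The native (untagged) VLAN is off limits to the vNET admin.
            return "port-vlan-add: No permission to modify untagged-vlan field"
        for p in ports:
            if not scope.visible_ports([p]):
                return f"port-vlan-add: No permission for port 'port = {p}'"
        for v in args.get("vlans", ()):
            if not scope.vlan_allotted(v):
                return f"port-vlan-add: vlan {v} not allotted to vNET {scope.name}"  # assumed wording
    if command == "vlan-create" and not scope.vlan_allotted(args["vlan"]):
        return f"vlan-create: vlan {args['vlan']} not allotted to vNET {scope.name}"  # assumed wording
    if command in ("vflow-create", "vflow-modify"):
        # vFlow qualifiers must stay inside the vNET VLAN and VXLAN ranges.
        vlan, vxlan = args.get("vlan"), args.get("vxlan")
        if vlan is not None and vlan not in scope.vlans:
            return f"{command}: vlan {vlan} outside vNET VLAN range"      # assumed wording
        if vxlan is not None and vxlan not in scope.vxlans:
            return f"{command}: vxlan {vxlan} outside vNET VXLAN range"   # assumed wording
    return None


# Scope constructed from the page's vnet-create example for vn1.
VN1 = VnetScope(
    name="vn1",
    managed_ports=frozenset({9, 17}),
    shared_ports=frozenset({18}),
    vlans=range(2000, 2100),
    shared_port_vlans=range(105, 110),
    vxlans=range(10000100, 10000110),
)

if __name__ == "__main__":
    print(VN1.visible_ports(range(1, 33)))                          # [9, 17, 18]
    print(authorize(VN1, "vlag-create", ports=[99], peer_port=99))  # denial, as on the page
    print(authorize(VN1, "vlag-create", ports=[9], peer_port=9))    # None
```

The point to take from the model is that the deny decision is made on the caller's scope object, not on the command name: the same vlag-create is accepted for port 9 and refused for port 99, and a shared port such as 18 is visible in port-show but still not a valid target for Layer 2 or vFlow configuration.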
Let us consider an example of vNET creation and see how the above commands behave within it:
CLI (network-admin@switch) > vnet-create name vn1 scope fabric vlan-type private public-vlans 2000-2099 num-private-vlans 10 num-bridge-domains 3 vxlans 10000100-10000109 managed-ports 9,17 shared-ports 18 shared-port-vlans 105-109
Creating vn1-mgr zone, please wait...
With this command the network administrator creates a vNET as a dedicated domain comprising managed and shared ports as well as private and public VLANs and VXLAN IDs. In other words, the fabric admin is partitioning the resources to provide a dedicated and restricted view on the network for the vNET admin.
The following examples show how a vNET’s view gets constrained for each command:
CLI (network-admin@switch) > port-show
switch port bezel-port status config
------ ---- ---------- ---------- ------
switch 9 9 up,vlan-up fd,10g
switch 17 17 disabled fd,10g
switch 18 18 disabled fd,10g
In this example, of all the front panel ports, the vNET admin can view only the managed and shared ports chosen as part of the vNET creation process.
Note: When you run the port-show command for a private vNET, only vNET managed ports are displayed. But for a public vNET, all ports except internal ports and cluster ports are displayed.
Starting with NetVisor OS version 7.0.0, a new CLI command, port-vnet-show, is available to view the ports assigned to vNETs and the respective VLANs of each vNET. This command displays the details configured when ports were added with the vnet-port-add command:
CLI (network-admin@switch) > port-vnet-show
name name-string               The name of the virtual network (vNET).
managed-ports port-list        The list of vNET exclusive ports.
num-vlans 1..4094              The number of global VLANs assigned to this vNET. This is a number between 1 and 4094.
vlans vlan-list                The VLANs assigned to a public VLAN vNET.
For example, if you had configured ports 9, 17, 18 and VLANs 3 and 5 on vNET vn1-global, then the output looks like:
CLI (network-admin@switch) > port-vnet-show
name managed-ports num-vlans vlans
---------- ------------- --------- ---------
vn1-global 9,17 10 2000-2099
To view the PHY details, use the command:
CLI (network-admin@switch) > port-phy-show
port bezel-port state speed eth-mode max-frame def-vlan
---- ---------- ----- ----- ---------- --------- --------
9 9 up 10000 10Gbase-cr 1540 0
17 17 down 10000 10Gbase-cr 1540 1
18 18 down 10000 10Gbase-cr 1540 0
Also, the front panel and PHY information is constrained to the ports selected as part of the vNET creation process. Port configuration gets constrained too, for example:
CLI (network-admin@switch) > port-config-show format port,enable,
port enable
---- ------
9 on
17 off
Regarding the Layer 2 configuration, these commands also get a constrained view:
CLI (network-admin@switch) > port-vlan-add port 9 untagged-vlan 45
port-vlan-add: No permission to modify untagged-vlan field
As displayed, untagged VLANs are prevented from being changed.
The vLAGs can be created only using accessible ports (as port 9 in the example below):
CLI (network-admin@switch) > vlag-create name vl1 port 9 peer-port 9
CLI (network-admin@switch) > port-lacp-show layout vertical
switch: switch
port: 9
name: v11
port-type: vlag
mode: passive
timeout: slow
system-id: 66:0e:94:b6:ab:01
lacp-key: 36285
system-priority: 32768
port-priority: 32768
aggregatable: yes
sync: yes
coll: yes
dist: no
defaulted: yes
expired: no
port-state: 0x5c
whereas inaccessible ports are blocked in the configuration:
CLI (network-admin@aquarius00) > vlag-create name vl1 port 99 peer-port 99
vlag-create: No permission for port 'port = 99'
Similarly, a VLAN trunk can be created (and then deleted) using accessible ports 9 and 10 like so:
CLI (network-admin@switch) > trunk-create name t ports 9-10
trunk 273 defer-bringup set to 1 based on first port 9
Created trunk t, id 273
CLI (network-admin@switch) > trunk-show format name,trunk-id,ports
name trunk-id ports
-------------------- -------- -----
t 274 9-10
vxlan-loopback-trunk 397
CLI (network-admin@switch) > trunk-delete name t
Furthermore, spanning tree (STP) commands are limited to accessible ports only:
CLI (network-admin@switch) > stp-port-show port 10
port block filter edge bpdu-guard root-guard priority cost
---- ----- ------ ---- ---------- ---------- -------- ----
10 on off no no no 128 2000
CLI (network-admin@switch) > stp-port-modify port 53 cost 10000
stp-port-modify: No permission over ports 53
CLI (network-admin@switch) > stp-port-event-show
switch time port vlan instance count initial-state other-state final-state
------- -------- ---- ------ -------- ----- ------------- ---------- -----------
switch 01:13:52 17 1,4094 0 3 Disabled Disabled Forwarding
switch 01:15:42 9 1 0 1 Disabled Disabled Discarding
switch 01:16:02 9 1 0 1 Discarding Disabled Learning
switch 01:16:12 9 1 0 1 Learning Disabled Forwarding
switch 01:17:53 17 1 0 1 Forwarding Disabled Disabled
switch 01:17:53 9 1 0 1 Forwarding Disabled Disabled
switch 01:29:00 17 4094 0 1 Disabled Disabled Forwarding
For Layer 3 configuration, the vRouter commands likewise display a constrained view (limited to accessible VLANs and interfaces), for example:
CLI (network-admin@switch) > vrouter-create name vr1 vnet vn1 router-type hardware
Creating vr1 zone, please wait...
vrouter created
As stated in the overview section, only a network admin can create vRouters. A permission error is displayed if a vNET admin tries to create a vRouter, as in the example below:
CLI (vnet1-admin@switch) > vrouter-create name vr1 vnet vnet1
vrouter-create: No permission to create vrouter in vnet manager
CLI (network-admin@switch) > vrouter-interface-add vrouter-name vr1 ip 192.168.99.13/24 vlan 100
Added interface eth0.100 with ifIndex 159
CLI (network-admin@switch) > vrouter-interface-show format vrouter-name,nic,ip,vnet,vlan,vlan-type,nic-state,mtu
vrouter-name nic ip vnet vlan vlan-type nic-state mtu
------------ -------- ---------------- ---- ---- --------- --------- ----
vr1 eth0.100 192.168.99.13/24 vn1 100 private up 1500
The static-ecmp-group-* commands are allowed only within the vNET scope (local), and duplicate entries from other switches are blocked when logged in as vnet-admin. For example:
CLI (network-admin@switch) > vnet-create name VNET2 scope fabric
Creating VNET2-mgr zone, please wait...
Vnet created. Vlans assigned: 5
CLI (network-admin@switch) > vrouter-create name vr_fabric vnet VNET2 router-type hardware
Creating vr_fabric zone, please wait...
vrouter created
CLI (network-admin@switch) > static-ecmp-group-create group-name G1 scope fabric vrouter-name vr_fabric hash-type non-resilient
CLI (network-admin@switch) > static-ecmp-group-nh-add group-name G1 ip 1.1.1.1
CLI (network-admin@switch) > vnet-create name vnet2-data scope fabric
Creating vnet2-data-mgr zone, please wait...
Vnet created. Vlans assigned: 6
root@switch:~# lxc-attach -n vnet2-data-mgr
root@vnet2-data-mgr:~# nvOS_cli --quiet static-ecmp-group-show
root@vnet2-data-mgr:~# exit
root@switch:~# lxc-attach -n VNET2-mgr
root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-show
group-name scope vrouter-name hw-ecmp-id hash-type
---------- ------ ------------ ---------- -------------
G1 fabric vr_fabric 200000 non-resilient
root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show
group-name ip vlan egress-id
---------- ------- ---- ---------
G1 1.1.1.1 0 -1
root@VNET2-mgr:~# exit
CLI (network-admin@switch) > vnet-create name VNET1 scope cluster
Creating VNET1-mgr zone, please wait...
Vnet created. Vlans assigned: 7
CLI (network-admin@switch) > vrouter-create name vr_cluster vnet VNET1
Creating vr_cluster zone, please wait...
vrouter created
CLI (network-admin@switch) > static-ecmp-group-create group-name G2 scope cluster vrouter-name vr_cluster hash-type non-resilient
CLI (network-admin@switch) > static-ecmp-group-nh-add group-name G2 ip 2.1.1.1
On the Global vNET, you can view all details, for example:
CLI (network-admin@switch) > static-ecmp-group-show
switch group-name scope vrouter-name vrid hw-ecmp-id hash-type
------- ---------- ------- ------------ ---- ---------- -------------
switch1 G1 fabric -1 -1 non-resilient
switch2 G1 fabric vr_fabric 200000 non-resilient
switch1 G2 cluster -1 -1 non-resilient
switch2 G2 cluster vr_cluster 1 200001 non-resilient
root@switch:~# lxc-attach -n vnet2-data-mgr
root@vnet2-data-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show
root@vnet2-data-mgr:~# exit
root@switch:~# lxc-attach -n VNET2-mgr
root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-nh-show
switch group-name ip vlan egress-id
------ ---------- ------- ---- ---------
switch G1 1.1.1.1 0 -1
root@VNET2-mgr:~# nvOS_cli --quiet static-ecmp-group-show
switch group-name scope vrouter-name hw-ecmp-id hash-type
------ ---------- ------ ------------ ---------- -------------
switch G1 fabric vr_fabric 200000 non-resilient
root@VNET2-mgr:~# exit
root@switch:~# lxc-attach -n VNET1-mgr
root@VNET1-mgr:~# nvOS_cli --quiet static-ecmp-group-show
switch group-name scope vrouter-name vrid hw-ecmp-id hash-type
------ ---------- ------- ------------ ---- ---------- -------------
switch G2 cluster vr_cluster 1 200001 non-resilient
root@VNET1-mgr:~# exit
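The session above shows the same static-ecmp-group table from three vantage points: the network admin sees every row, including the placeholder rows (vrouter-name and hw-ecmp-id -1) for the switch that does not host the vRouter, while each vNET manager zone sees only the group whose vRouter belongs to its own vNET, and the vnet2-data zone, which owns no vRouter, sees nothing. The following is an added example, not NetVisor OS code, that models this view filtering in Python. The group rows and the vRouter-to-vNET mapping are transcribed from the session; the filtering rule is this example's own reading of that output, and the next-hop row for G2 is constructed to mirror the static-ecmp-group-nh-add command above.

```python
# Added example (not NetVisor OS code): models which static-ecmp-group rows each
# login sees in the session above. Group rows are transcribed from the global
# static-ecmp-group-show output; the filtering rule (a vNET manager zone sees only
# groups attached to a vRouter owned by its vNET, on the switch where that vRouter
# exists) is this example's reading of the page, not a documented algorithm.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EcmpGroup:
    switch: str
    group_name: str
    scope: str                   # "fabric" or "cluster"
    vrouter_name: Optional[str]  # None where the page shows -1 (no vRouter on that switch)
    hw_ecmp_id: int
    hash_type: str


@dataclass(frozen=True)
class EcmpNextHop:
    switch: str
    group_name: str
    ip: str
    vlan: int
    egress_id: int


# vRouter -> owning vNET, as created in the session above.
VROUTER_VNET: Dict[str, str] = {"vr_fabric": "VNET2", "vr_cluster": "VNET1"}

# The four rows of the network admin's static-ecmp-group-show output.
GROUPS: List[EcmpGroup] = [
    EcmpGroup("switch1", "G1", "fabric", None, -1, "non-resilient"),
    EcmpGroup("switch2", "G1", "fabric", "vr_fabric", 200000, "non-resilient"),
    EcmpGroup("switch1", "G2", "cluster", None, -1, "non-resilient"),
    EcmpGroup("switch2", "G2", "cluster", "vr_cluster", 200001, "non-resilient"),
]
# G1's next hop is from the VNET2-mgr nh-show output; G2's is constructed from its nh-add.
NEXT_HOPS: List[EcmpNextHop] = [
    EcmpNextHop("switch2", "G1", "1.1.1.1", 0, -1),
    EcmpNextHop("switch2", "G2", "2.1.1.1", 0, -1),
]


def group_show(groups: List[EcmpGroup], viewer_vnet: Optional[str] = None) -> List[EcmpGroup]:
    """viewer_vnet=None is the network admin's global view and returns every row.
    A vNET manager zone sees only groups attached to a vRouter owned by its vNET."""
    if viewer_vnet is None:
        return list(groups)
    return [g for g in groups
            if g.vrouter_name is not None and VROUTER_VNET.get(g.vrouter_name) == viewer_vnet]


def nh_show(groups: List[EcmpGroup], next_hops: List[EcmpNextHop],
            viewer_vnet: Optional[str] = None) -> List[EcmpNextHop]:
    """Next hops inherit visibility from their group (same switch, same group name)."""
    visible = {(g.switch, g.group_name) for g in group_show(groups, viewer_vnet)}
    return [nh for nh in next_hops if (nh.switch, nh.group_name) in visible]


def render(rows) -> str:
    """Plain-text table in the CLI's column style, for eyeballing a filtered view."""
    if not rows:
        return ""
    fields = list(rows[0].__dataclass_fields__)
    cells = [["-1" if getattr(r, f) is None else str(getattr(r, f)) for f in fields] for r in rows]
    widths = [max(len(f), *(len(c[i]) for c in cells)) for i, f in enumerate(fields)]
    lines = [" ".join(f.ljust(w) for f, w in zip(fields, widths)),
             " ".join("-" * w for w in widths)]
    lines += [" ".join(c.ljust(w) for c, w in zip(row, widths)) for row in cells]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(group_show(GROUPS)))                # all four rows
    print(render(group_show(GROUPS, "VNET2")))       # only G1 on switch2
    print(render(group_show(GROUPS, "vnet2-data")))  # empty, as in the session
```

Running group_show with "vnet2-data" returns nothing even though that vNET has the same fabric scope as VNET2: visibility follows vRouter ownership, which is why the page's vnet2-data-mgr zone prints an empty table.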
The vrouter-ping and vrouter-traceroute commands display a constrained view as well:
CLI (network-admin@switch) > vrouter-ping vrouter-name vr1 host-ip 192.168.99.13
PING 192.168.99.13 (192.168.99.13) 56(84) bytes of data.
64 bytes from 192.168.99.13: icmp_seq=1 ttl=64 time=0.066 ms
64 bytes from 192.168.99.13: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 192.168.99.13: icmp_seq=3 ttl=64 time=0.063 ms
^C
--- 192.168.99.13 ping statistics ---